From 529d36ca659075676cd9e1d1830b6f4973be4885 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Raynaud Date: Tue, 25 Jul 2023 18:46:16 +0200 Subject: [PATCH 1/3] Update relay configuration Make the squid proxy completely anonymous and deactivate cache. --- .../manual/getting-started/run-signer-node.md | 30 +++++++++++++++++++ .../manual/getting-started/run-signer-node.md | 30 +++++++++++++++++++ 2 files changed, 60 insertions(+) diff --git a/docs/root/manual/getting-started/run-signer-node.md b/docs/root/manual/getting-started/run-signer-node.md index 3c8b80f7d44..7883750b421 100644 --- a/docs/root/manual/getting-started/run-signer-node.md +++ b/docs/root/manual/getting-started/run-signer-node.md @@ -370,6 +370,35 @@ acl SSL_port port 443 # Allowed traffic http_access allow relay_internal_ip aggregator_domain SSL_port +# Do not disclose block producer internal IP +forwarded_for delete + +# Turn off via header +via off + +# Deny request for original source of a request +follow_x_forwarded_for deny all + +# Anonymize request headers +request_header_access Authorization allow all +request_header_access Proxy-Authorization allow all +request_header_access Cache-Control allow all +request_header_access Content-Length allow all +request_header_access Content-Type allow all +request_header_access Date allow all +request_header_access Host allow all +request_header_access If-Modified-Since allow all +request_header_access Pragma allow all +request_header_access Accept allow all +request_header_access Accept-Charset allow all +request_header_access Accept-Encoding allow all +request_header_access Accept-Language allow all +request_header_access Connection allow all +request_header_access All deny all + +# Disable cache +cache deny all + # Deny everything else http_access deny all EOF' 
@@ -379,6 +408,7 @@ With this configuration, the proxy will: - accept incoming traffic originating from the internal IP of the block-producing machine - accept incoming traffic directed to the listening port of the proxy - accept incoming HTTPS traffic proxied to `mithril.network` domain hosts +- anonymize completely the traffic and avoid disclosing any information about the block-producing machine - deny all other traffic Restart the service: diff --git a/docs/versioned_docs/version-maintained/manual/getting-started/run-signer-node.md b/docs/versioned_docs/version-maintained/manual/getting-started/run-signer-node.md index 3c8b80f7d44..7883750b421 100644 --- a/docs/versioned_docs/version-maintained/manual/getting-started/run-signer-node.md +++ b/docs/versioned_docs/version-maintained/manual/getting-started/run-signer-node.md @@ -370,6 +370,35 @@ acl SSL_port port 443 # Allowed traffic http_access allow relay_internal_ip aggregator_domain SSL_port +# Do not disclose block producer internal IP +forwarded_for delete + +# Turn off via header +via off + +# Deny request for original source of a request +follow_x_forwarded_for deny all + +# Anonymize request headers +request_header_access Authorization allow all +request_header_access Proxy-Authorization allow all +request_header_access Cache-Control allow all +request_header_access Content-Length allow all +request_header_access Content-Type allow all +request_header_access Date allow all +request_header_access Host allow all +request_header_access If-Modified-Since allow all +request_header_access Pragma allow all +request_header_access Accept allow all +request_header_access Accept-Charset allow all +request_header_access Accept-Encoding allow all +request_header_access Accept-Language allow all +request_header_access Connection allow all +request_header_access All deny all + +# Disable cache +cache deny all + # Deny everything else http_access deny all EOF' 
@@ -379,6 +408,7 @@ With this configuration, the proxy will: - accept incoming traffic originating from the internal IP of the block-producing machine - accept incoming traffic directed to the listening port of the proxy - accept incoming HTTPS traffic proxied to `mithril.network` domain hosts +- anonymize completely the traffic and avoid disclosing any information about the block-producing machine - deny all other traffic Restart the service: From bdc319f2924b0af5f05667c8c04fe633c031c658 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Raynaud Date: Tue, 25 Jul 2023 18:47:45 +0200 Subject: [PATCH 2/3] Update relay configuration in infra --- mithril-infra/assets/docker/squid/squid.conf | 29 ++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/mithril-infra/assets/docker/squid/squid.conf b/mithril-infra/assets/docker/squid/squid.conf index 47b051e9de5..004c079c44f 100644 --- a/mithril-infra/assets/docker/squid/squid.conf +++ b/mithril-infra/assets/docker/squid/squid.conf 
@@ -3,5 +3,34 @@ # Listening port (port 3128 is recommended) http_port 3128 +# Do not disclose block producer internal IP +forwarded_for delete + +# Turn off via header +via off + +# Deny request for original source of a request +follow_x_forwarded_for deny all + +# Anonymize request headers +request_header_access Authorization allow all +request_header_access Proxy-Authorization allow all +request_header_access Cache-Control allow all +request_header_access Content-Length allow all +request_header_access Content-Type allow all +request_header_access Date allow all +request_header_access Host allow all +request_header_access If-Modified-Since allow all +request_header_access Pragma allow all +request_header_access Accept allow all +request_header_access Accept-Charset allow all +request_header_access Accept-Encoding allow all +request_header_access Accept-Language allow all +request_header_access Connection allow all +request_header_access All deny all + +# Disable cache +cache deny all + # Allowed traffic http_access allow all \ No newline at end of file From 3b1bc8f403da56b43da01c006c621bfb7d530ccd Mon Sep 17 00:00:00 2001 From: Jean-Philippe Raynaud Date: Tue, 25 Jul 2023 18:48:15 +0200 Subject: [PATCH 3/3] Update infra version --- mithril-infra/assets/infra.version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mithril-infra/assets/infra.version b/mithril-infra/assets/infra.version index a1e1395acab..84aa3a7dd73 100644 --- a/mithril-infra/assets/infra.version +++ b/mithril-infra/assets/infra.version @@ -1 +1 @@ -0.1.7 \ No newline at end of file +0.1.8 \ No newline at end of file
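Review bot: The `request_header_access` rules added in this hunk (and the identical block in the two docs hunks of PATCH 1/3) only filter headers of requests that Squid itself parses; for the HTTPS traffic this relay is meant to carry the client issues a CONNECT and the real request headers travel inside the TLS tunnel, where Squid cannot see or strip them without SSL bumping, so what gets anonymised is the CONNECT request (and any plain-HTTP request), not the upstream request. The docs bullet added in the same patch, "anonymize completely the traffic and avoid disclosing any information about the block-producing machine", should therefore be narrowed to say that proxy-added and client-identifying headers are removed from the proxied request, and that any identifying headers the signer itself sets (presumably a User-Agent) would still reach the aggregator unchanged. The comment `# Deny request for original source of a request` does not describe `follow_x_forwarded_for deny all`, which only stops Squid from trusting an incoming X-Forwarded-For header when determining the client address (the default); I would reword it to `# Do not trust X-Forwarded-For from clients when determining the client address` and add `# (the header itself is dropped by the trailing "request_header_access All deny all")` so a reader knows which directive actually strips it. `forwarded_for delete`, `via off` and `cache deny all` are fine as written.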